topic Authentication checking multiple policies Cisco ISE in Network Access Control

Authentication checking multiple policies Cisco ISE

iVicMMac — Fri, 14 Jan 2022 17:22:28 GMT

Hello Team,

I've trying to configure the authentication of users checking multiple policies on the 'Policy Sets' but no success, I mean, I want to know if the ISE is able to follow the next flow:

USER -> Policy 1 - NOT FOUND -> Policy 2 - NOT FOUND -> Policy 3 - NOT FOUND -> Policy 4 FOUND!! Access granted!

Thanks in advance.

Re: Authentication checking multiple policies Cisco ISE

ericsmi — Fri, 14 Jan 2022 17:33:41 GMT

Use an Identity Source Sequence to accomplish this.

Re: Authentication checking multiple policies Cisco ISE

iVicMMac — Fri, 14 Jan 2022 19:26:25 GMT

I think in my design its not possible to implement through this feature, is there any alternative?

Re: Authentication checking multiple policies Cisco ISE

thomas — Sun, 16 Jan 2022 01:16:33 GMT

Are you using multiple Policy Sets or only the Default Policy Set?

The ISE LiveLog Details will show you what identity store it tried to authenticate against and what it matched for the Authorization Rule (Policy Set > Authorization Rule). The LiveLog will show you the Authorization Profile it assigned from your Authz Rule, too.

I just did an ISE for the Zero Trust Workplace webinar last week and performed a demo of an authentication and showed how you can see the matching policy in the LiveLog. It will be posted to our CiscoISE YouTube Channel this next week.

Re: Authentication checking multiple policies Cisco ISE

iVicMMac — Mon, 17 Jan 2022 14:53:09 GMT

Hi Thomas,

Yeah, Im using multiple policy sets in my ocnfiguration, basically the problem is, there is a implicit Deny on each policy, this avoid to check the next policy, so, when I try to log in whtn the user 3(which is under policy 3) the ISE only checks the Policy 1, therefore the access is denied, because the user does not exist in policy 1

Re: Authentication checking multiple policies Cisco ISE

Greg Gibbs — Mon, 17 Jan 2022 21:46:07 GMT

When a session matches the conditions for a Policy Set, it will be evaluated only by the AuthC and AuthZ Policies within that Policy Set. There is no 'implicit deny' on the AuthC/AuthZ Policies. You can configure either a Permit (ACCESS_ACCEPT) or Deny (ACCESS_REJECT) for the Default AuthC/AuthZ Policies within a Policy Set, but the session will never continue past that Default AuthC/AuthZ policy. The ISE policy flow cannot be configured such that one Policy Set is evaluated and if no match, continue to a different Policy Set.

You will need to re-evaluate what you are trying to accomplish and look at possibly collapsing your Policy Sets and maybe using some sort of Identity Source Sequence.

Re: Authentication checking multiple policies Cisco ISE

iVicMMac — Mon, 17 Jan 2022 23:57:02 GMT

thank you